Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-07 Thread Bob Sneidar via use-livecode
Thanks Peter. I see some things in there that help me understand better what the salting does. I will probably incorporate this in my app fairly soon. I store passwords for various things, and want to make sure they are as secure as possible. Once I get it working I think I will put up a

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-07 Thread Peter TB Brett via use-livecode
On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:
> Thanks Peter. But then how will I know programmatically if the password is correct or not?
Hi Bob,
Here's a worked example of what I'm talking about.
Peter

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-07 Thread Bob Sneidar via use-livecode
NVM I think I see. I hash the user's password entry and compare the value to what is stored. But if the stored hash is an asymmetric one and cannot be decrypted, what is all the fuss about? Rainbow tables are all that is left, and you cannot create rainbow tables for every possible methodology.

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-07 Thread prothero--- via use-livecode
You encrypt the trial password and compare the encrypted values.
Bill
William Prothero
http://ed.earthednet.org
> On Mar 7, 2017, at 3:28 PM, Bob Sneidar via use-livecode wrote:
>
> Thanks Peter. But then how will I know programmatically if the password is

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-07 Thread Bob Sneidar via use-livecode
Thanks Peter. But then how will I know programmatically if the password is correct or not?
Bob S
> On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode wrote:
>
> On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
>> It looks like the

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-06 Thread Peter TB Brett via use-livecode
On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
> It looks like the encrypt command is already using this method if the "with salt" argument is provided? At least the encrypted result starts with "salted" and at least part of the salt value.
Hi Bob,
The "encrypt" command provides

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-04 Thread Tom Glod via use-livecode
This discussion has been very useful on many fronts. I'm going to have fewer nightmares about security. On Fri, Mar 3, 2017 at 1:00 PM, Bob Sneidar via use-livecode < use-livecode@lists.runrev.com> wrote: > It looks like the encrypt command is already using this method if the > "with salt"

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-03 Thread Bob Sneidar via use-livecode
It looks like the encrypt command is already using this method if the "with salt" argument is provided? At least the encrypted result starts with "salted" and at least part of the salt value. Bob S > On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode >

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-02 Thread Peter TB Brett via use-livecode
On 02/03/2017 19:28, Alejandro Tejada via use-livecode wrote:
> How difficult would it be to guess a sha1 digest, if we repeat it many, many times? Just as Peter Brett wrote in a previous message: put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times!
Don't do this. It will make it

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-02 Thread Lagi Pittas via use-livecode
Excellent points Axwald especially the last paragraph. Happy Happy Happy Fun Fun Fun!! ;-) On 2 March 2017 at 10:20, axwald via use-livecode < use-livecode@lists.runrev.com> wrote: > Hi, > > > Dr Peter Brett wrote > > On 24/02/2017 18:47, axwald via use-livecode wrote: > > [...] > >> Not a

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-02 Thread axwald via use-livecode
Hi, Dr Peter Brett wrote > On 24/02/2017 18:47, axwald via use-livecode wrote: > [...] >> Not a specialist regarding this, but wouldn't it be possible to interface >> such? >>> https://github.com/jedisct1/libsodium >> >> @Lagi: The first customer already called to ask if I'd use "this security

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-01 Thread Peter TB Brett via use-livecode
On 01/03/2017 18:22, Richard Gaskin via use-livecode wrote: The answer turns out to be: "Quite good - pull request submitted, status changed to 'Awaiting Build'" - i.e. "done!" http://quality.livecode.com/show_bug.cgi?id=14223 Many thanks to Peter Brett for addressing this, and implementing it

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-01 Thread Richard Gaskin via use-livecode
This thread title asks: "What are the chances this will be addressed in LC?" The answer turns out to be: "Quite good - pull request submitted, status changed to 'Awaiting Build'" - i.e. "done!" http://quality.livecode.com/show_bug.cgi?id=14223 Many thanks to Peter Brett for addressing this,

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-01 Thread Peter TB Brett via use-livecode
On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote: Hi Peter. Very informative thank you. In the example, [protected form] = [salt] + protect([protection func], [salt] + [credential]); It looks like they are saying to prepend the salt prior to the protect function (in the case of LC

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-01 Thread Bob Sneidar via use-livecode
Hi Peter. Very informative thank you. In the example, [protected form] = [salt] + protect([protection func], [salt] + [credential]); It looks like they are saying to prepend the salt prior to the protect function (in the case of LC that would be encrypt) but if someone got access to the SQL

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-03-01 Thread Peter TB Brett via use-livecode
On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote: Thanks for that Peter! I've been thinking about a way to encrypt data for storage in database systems for things like passwords and server credentials. Now to figure out how to decrypt it... Hi Bob, Never store user passwords in clear

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Bob Sneidar via use-livecode
NVM I'm a moron. It's there but I overlooked it. Bob S > On Feb 28, 2017, at 12:27 , Richard Gaskin via use-livecode > wrote: > > I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), just > in case you'd tried "l" ("L") instead. > > It's

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Richard Gaskin via use-livecode
Bob Sneidar wrote:
>> On Feb 28, 2017, at 09:33 , Richard Gaskin wrote:
>> Bob Sneidar wrote:
>>
>> > I cannot find a function called sha1digest in the LC library.
>>
>> It's sha-ONE-digest, and it's been around for a while so it should
>> be there.
>>
>
> I search for SHA in the dictionary,

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Phil Davis via use-livecode
One thing I discovered just now: the items listed in the API tab of the Dictionary are not necessarily in alphabetic order by default. I discovered it by typing 'sh' into the Filter box and looking at the list, top to bottom. Things weren't where I expected them to be! After I clicked the

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Phil Davis via use-livecode
However, this works: put sha1Digest("dfgdfgdghgdhfgh") So we know it's there. FWIW - Phil Davis On 2/28/17 11:05 AM, Bob Sneidar via use-livecode wrote: I search for SHA in the dictionary, nada. I type sha1digest in to a script, right click it, nada. I type shaONEdigest in a script,

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Mark Wieder via use-livecode
On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote: I search for SHA in the dictionary, nada. It's in the dictionary. Maybe you have a filter enabled that's masking it? -- Mark Wieder ahsoftw...@gmail.com

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Bob Sneidar via use-livecode
I search for SHA in the dictionary, nada. I type sha1digest in to a script, right click it, nada. I type shaONEdigest in a script, right click it, nada. Bob S > On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode > wrote: > > Bob Sneidar wrote: > > >

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Richard Gaskin via use-livecode
Bob Sneidar wrote: > I cannot find a function called sha1digest in the LC library. It's sha-ONE-digest, and it's been around for a while so it should be there. -- Richard Gaskin Fourth World Systems Software Design and Development for the Desktop, Mobile, and the Web

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Bob Sneidar via use-livecode
err... This does not work. I cannot find a function called sha1digest in the LC library.
Bob S
> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode wrote:
>
> Or, in LiveCode:
>
>    function HmacSha1(pKey, pData)
>       return sha1digest(pKey &

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-28 Thread Bob Sneidar via use-livecode
Thanks for that Peter! I've been thinking about a way to encrypt data for storage in database systems for things like passwords and server credentials. Now to figure out how to decrypt it... Bob S > On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode >

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-27 Thread Peter TB Brett via use-livecode
On 24/02/2017 18:47, axwald via use-livecode wrote: few days ago I read about PHP incorporating a modern crypto lib now: https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library Not a specialist regarding this, but wouldn't it be

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-25 Thread Dan Brown via use-livecode
For those interested there is a SHA-1 collider here to have a play with https://alf.nu/SHA1 On 25 Feb 2017 3:18 p.m., "Dr. Hawkins via use-livecode" < use-livecode@lists.runrev.com> wrote: > On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode < > use-livecode@lists.runrev.com> wrote:

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-25 Thread Dr. Hawkins via use-livecode
On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode < use-livecode@lists.runrev.com> wrote: > While Google may include a backdoor (something I consider unlikely but I > realise that's no less conjecture than '100% certainty'), the Natural News > issue isn't what the site owners paint

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-25 Thread Keith Martin via use-livecode
An aside response... > Read between the lines Google doesn't use it so obviously people will start > using Google's which will with 100% certainty will have a backdoor in it > looking as to how they removed 140,000 indexed pages of www.naturalnews.com > after the owner didn't give in to

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread axwald via use-livecode
Hi, few days ago I read about PHP incorporating a modern crypto lib now: > https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library Not a specialist regarding this, but wouldn't it be possible to interface such? >

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Bob Sneidar via use-livecode
I dl'd and also sent him some money. Bob S > On Feb 24, 2017, at 09:56 , Richard Gaskin via use-livecode > wrote: > > Peter covered why it should be done in C, but if you really need sha256 today > Mark Smith's libSHA includes a scripted version: > >

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Richard Gaskin via use-livecode
Lagi Pittas wrote: > Why does it need to be a part of the language and not a widget > or a library stack which we can all fiddle with for our projects, > which would make it more difficult for the bad boys to decrypt? Peter covered why it should be done in C, but if you really need sha256

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Peter TB Brett via use-livecode
On 24/02/2017 17:18, Lagi Pittas via use-livecode wrote:
> Why does it need to be a part of the language and not a widget or a library stack which we can all fiddle with for our projects, which would make it more difficult for the bad boys to decrypt?
Cryptographic hash implementations have a

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Lagi Pittas via use-livecode
Why does it need to be a part of the language and not a widget or a library stack which we can all fiddle with for our projects, which would make it more difficult for the bad boys to decrypt? Lagi On 24 February 2017 at 17:15, Tom Glod via use-livecode < use-livecode@lists.runrev.com> wrote:

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Tom Glod via use-livecode
It's good to hear it's being looked at by the core team. I trust the most obvious correct decision will be made eventually. On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode < use-livecode@lists.runrev.com> wrote: > As much as I enjoy chatting with other users, a while back I had

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Richard Gaskin via use-livecode
As much as I enjoy chatting with other users, a while back I had hoped to make this more actionable by submitting an enhancement request for sha256: http://quality.livecode.com/show_bug.cgi?id=14223 The challenge with satisfying that request is twofold: - sha2 is not a single algo, but a

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Lagi Pittas via use-livecode
Hi, I didn't say they shouldn't do it; I said I won't lose any sleep over it. I don't think it needs to be built in either - just a library will do and everybody can tweak it a little bit so that NOBODY knows which one it is - that'll piss TPTB off. Lagi On 24 February 2017 at 13:58, Dan Brown

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Dan Brown via use-livecode
It may cost $110,000 today but the computational cost of executing this exploit will decrease year on year until it is trivial to perform. I would think it much better to address this issue immediately so that applications being made now are future proofed. There is also the PR element to

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Tom Glod via use-livecode
Thanks for sharing your thoughts on this Lagi, you make some good points. On Fri, Feb 24, 2017 at 5:44 AM, Lagi Pittas via use-livecode < use-livecode@lists.runrev.com> wrote: > I think everybody is overplaying this. > > It will only matter if the amount of money or other advantages is worth at

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

2017-02-24 Thread Lagi Pittas via use-livecode
I think everybody is overplaying this. It will only matter if the amount of money or other advantages is worth at least $110,000. The algorithm executed in Amazon's cloud at the cheapest rate would cost that much in processing to get 1 key. The only people that will waste YOUR money to do this